Saturday, August 27, 2016

Mod_security issues with Roundcube, opencloud and other software

If roundcube, opencloud or any other software running behind Apache with mod_security has issues or shows strange behaviour, check /var/log/httpd/modsec_audit.log for errors.

In my case I was not able to send/forward emails with national ("non-English") characters in the message content.

Some of the mod_security rules are outdated and can produce false positives.

Sample issue:
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a>  found within ARGS:_message:...

If you believe the rule is not needed for your application, edit httpd.conf and add the following directive to your (VirtualHost) config:
SecRuleRemoveById 960024

Restart Apache and check whether your application works now; if not, look for further entries in modsec_audit.log.
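Before removing a rule it helps to know how often each rule actually blocked requests; here is an added shell example (not part of the original post) that tallies the "Access denied" entries of modsec_audit.log by rule id. The log lines are constructed in the format shown above, and rule id 123456 is a placeholder.

```shell
#!/bin/sh
# Constructed modsec_audit.log "Message:" lines (not the post's log). Rule id 123456 is a placeholder.
AUDIT_LOG='Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a>  found within ARGS:_message: ..."]
Message: Warning. Pattern match "(?i:...)" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/example.conf"] [line "1"] [id "123456"] [rev "1"] [msg "Constructed placeholder rule"]
Message: Access denied with code 403 (phase 2). Pattern match "foo" at ARGS:subject. [file "/etc/httpd/modsecurity-crs/base_rules/example.conf"] [line "1"] [id "123456"] [rev "1"] [msg "Constructed placeholder rule"]
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"]'

# Print "id|msg|target" for every Message: line that actually denied a request.
# Warning-only lines (rules that matched but did not block) are skipped.
denied_rules() {
    printf '%s\n' "$1" | sed -nE \
        's/^Message: Access denied .* at ([A-Za-z_:]+)\. .*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*/\2|\3|\1/p'
}

# Count denials per rule id, most frequent first: the candidates for SecRuleRemoveById.
denial_counts() {
    denied_rules "$1" | cut -d'|' -f1 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

denial_counts "$AUDIT_LOG"
```

Run it against the real file with AUDIT_LOG="$(grep '^Message:' /var/log/httpd/modsec_audit.log)" to see which rule ids are worth disabling and which only warn.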

Sunday, August 7, 2016

Cannot start teamviewer in Fedora 24

Default installation of Teamviewer on Fedora 24 will not start due to SELinux issues.

# systemctl -a | grep teamviewer
  teamviewerd.service  loaded   inactive dead  TeamViewer remote control daemon

# systemctl start teamviewerd.service
Job for teamviewerd.service failed because a fatal signal was delivered to the control process. See "systemctl status teamviewerd.service" and "journalctl -xe" for details.


To fix it you can use SELinux GUI tool:
sealert -b

Or CLI tool:
ausearch -c 'teamviewerd'

Or you can check system logs:
# journalctl -xe
aug 04 14:23:17 fedora setroubleshoot[3240]: SELinux is preventing teamviewerd from using the execmem access on a process. For complete SELinux messages. run sealert -l 7c667284-3d59-4c06-9535-2aed4b8015df
aug 04 14:23:17 fedora python3[3240]: SELinux is preventing teamviewerd from using the execmem access on a process.
                                     
                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                     
                                      If you believe that teamviewerd should be allowed execmem access on processes labeled init_t by default.
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      Do
                                      allow this access for now by executing:
                                      # ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
                                      # semodule -X 300 -i my-teamviewerd.pp


The solution (shown as a hint by sealert and journalctl) is to run:
# ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
# semodule -X 300 -i my-teamviewerd.pp
audit2allow -M also writes my-teamviewerd.te next to the .pp; read it before installing, because the generated allow rule applies to every process running in the init_t domain, not only to teamviewerd.


After that you should be able to start the TeamViewer service:
systemctl start teamviewerd.service
[root ~] # systemctl status teamviewerd.service
● teamviewerd.service - TeamViewer remote control daemon
   Loaded: loaded (/etc/systemd/system/teamviewerd.service; enabled; vendor preset: disabled)
   Active: active (running) since sun 2016-08-04 14:32:45 CEST; 1min 50s ago
  Process: 4228 ExecStart=/opt/teamviewer/tv_bin/teamviewerd -d (code=exited, status=0/SUCCESS)
 Main PID: 4230 (teamviewerd)
    Tasks: 19 (limit: 512)
   CGroup: /system.slice/teamviewerd.service
           └─4230 /opt/teamviewer/tv_bin/teamviewerd -d

aug 04 14:32:45 fedora systemd[1]: Starting TeamViewer remote control daemon...
aug 04 14:32:45 fedora systemd[1]: teamviewerd.service: PID file /var/run/teamviewerd.pid not readable (yet?) after start: No such file or directory
aug 04 14:32:45 fedora systemd[1]: Started TeamViewer remote control daemon.
 

Monday, June 13, 2016

fail2ban not working on EL6/Centos 6

I've noticed that fail2ban does not ban every host/IP it should after a while.

First I checked if my regexps are correct:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-auth.conf --print-all-matched

Fortunately I've seen a lot of hits, but most of them were not banned.
It appears that fail2ban has issues monitoring log files.
A quick fix is to change the file monitoring backend from auto to polling.
Python inotify (pyinotify) or gamin may not work properly; you can read more about it here: https://github.com/fail2ban/fail2ban/issues/44

Edit your jail.local file and add the following at the top:
[DEFAULT]
backend = polling

Restart fail2ban and check its log file to see if it bans every IP it should.

Saturday, June 11, 2016

Using fail2ban to protect the postfix/smtpd service

Recently I have found a lot of "lost connection after" entries in /var/log/maillog file:
lost connection after AUTH from unknown[IP.address]
lost connection after CONNECT 
lost connection after RCPT
lost connection after STARTTLS  
lost connection after UNKNOWN

It's possibly some kind of botnet trying to deliver spam using my mail server.
It won't work, but it's still nice to get rid of such clients at the firewall level.

First create a filter for fail2ban: create /etc/fail2ban/filter.d/postfix-auth.conf with the following content:
# Fail2ban postfix-auth filter
[INCLUDES]
before = common.conf


[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
ignoreregex =


Next edit /etc/fail2ban/jail.conf (or jail.local, which is not overwritten on package upgrades) and add the postfix-auth jail at the end of the file:
[postfix-auth]
enabled  = true
port     = smtp,ssmtp
filter   = postfix-auth
action   = iptables[name=SMTP-auth, port=smtp, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 2
bantime = 36000
findtime = 300


Finally restart the fail2ban service and check /var/log/messages or iptables to see whether your new jail works:
service fail2ban restart
grep Ban /var/log/messages
iptables -nvL

The /var/log/maillog logpath is for CentOS/Red Hat.
On other distributions make sure logpath points at the proper mail log file (usually mail.log).
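To see which maillog lines the failregex above actually catches before enabling the jail, here is an added shell example (not part of the original post) that applies an approximation of fail2ban's expanded regex to constructed log lines and counts hits per host against the jail's maxretry. It assumes __prefix_line expands to the usual syslog prefix and <HOST> to the name or address in the trailing brackets; fail2ban-regex remains the authoritative test.

```shell
#!/bin/sh
# Constructed sample maillog lines (not from the original post); addresses are documentation ranges.
SAMPLE_LOG='Jun 11 10:01:02 mail postfix/smtpd[12345]: lost connection after AUTH from unknown[203.0.113.5]
Jun 11 10:01:03 mail postfix/smtpd[12345]: lost connection after CONNECT from unknown[198.51.100.7]
Jun 11 10:01:04 mail postfix/smtpd[12346]: lost connection after RCPT from mx.example.net[192.0.2.9]
Jun 11 10:01:05 mail postfix/smtpd[12347]: lost connection after STARTTLS from unknown[203.0.113.5]
Jun 11 10:01:06 mail postfix/smtpd[12348]: connect from unknown[203.0.113.5]
Jun 11 10:01:07 mail postfix/smtpd[12349]: lost connection after UNKNOWN'

# Approximation (assumption) of the expanded failregex from the filter above:
#   __prefix_line -> "Mon DD HH:MM:SS host postfix/smtpd[pid]: "
#   <HOST>        -> whatever sits inside the final [...]
FAILREGEX='^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ postfix/smtpd\[[0-9]+\]: lost connection after .*\[([^]]+)\]$'

# Print the <HOST> capture of every matching line, one per line.
# Lines without a trailing [host] (like the bare "after UNKNOWN" one) never match.
matched_hosts() {
    printf '%s\n' "$1" | sed -nE "s|$FAILREGEX|\1|p"
}

# List hosts whose hit count reached the jail's maxretry ($2), i.e. the ones that would be banned.
hosts_to_ban() {
    matched_hosts "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2 }'
}

hosts_to_ban "$SAMPLE_LOG" 2
```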

Wednesday, June 8, 2016

How to disable new version notification popup in Sublime Text 3?

If you don't want to see "Update Available" / "A new version of Sublime Text is available" / "An update has been found" and similar annoying notifications try this:

If you have bought a license, there is an option you can use: put "update_check": false in the Settings - User config file.

This doesn't work for unlicensed copies.
You can still check which host Sublime Text 3 connects to for the update check and block that host on the firewall.
In my case blocking 209.20.75.76 worked.

How to block a host in firewalld (Fedora 23)?

 
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 209.20.75.76 -j DROP 

Check /etc/firewalld/direct.xml to see what custom rules have been configured.

Thursday, September 10, 2015

Failed login control on RHEL6 with pam_tally2

The pam_tally2 module is available in RHEL and CentOS and can be used to protect your system against brute-force attacks.

Enabling pam_tally2

Edit /etc/pam.d/password-auth and add this line on top of the auth lines:
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=900

Then add the following line on top of the account lines:
account required pam_tally2.so

Parameters to this module are simple:
onerr=fail
If something weird happens (like unable to open the file), return with PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM error code. 

deny=3 
Deny access if the tally for this user exceeds 3 failed attempts.

unlock_time=900 
Allow access again 900 seconds (15 minutes) after the failed attempts. If this option is used, the user is locked out for the specified amount of time after exceeding the maximum allowed attempts. If it is not set, an administrator has to unlock the user's account manually.

Check if you have following options set in /etc/ssh/sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes


Testing pam_tally2

login as: pajarito
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Account locked due to 3 failed logins
Password:


As you can see, after the third attempt the user's account was locked.


Verifying and unlocking users

To check current pam_tally2 statistics run pam_tally2 command:
# pam_tally2
Login           Failures Latest failure     From
jsmith              3    09/09/15 15:17:21  evil.attacker.com

To unlock a user, reset the counter with the "-r" flag:
# pam_tally2 -u pajarito -r
Login           Failures Latest failure     From
jsmith              3    09/09/15 15:20:49  evil.attacker.com

Finally, if the output of pam_tally2 is empty, no account has been locked.

Monday, September 7, 2015

Automated partition creation with fdisk and sfdisk

To automate partition creation or modification you can pass all the commands directly to fdisk via echo:

echo -e "o\nn\np\n1\n\n\nw" | fdisk /dev/sdc

The commands are:
o - create a new empty DOS partition table
n - add a new partition
p - create primary partition
(enter) - set first cylinder to the default value (1)
(enter) - set the last cylinder to the default value (end of the drive)
w - write table to disk and exit

Quick way to clone partition table from one drive to another

You can use sfdisk to save the partition table from the already prepared drive and copy it to another.

As shown below, the "-d" option dumps the table to a text file, which can easily be altered if needed.

[root@centos ~]# sfdisk -d /dev/sdb > file
 

[root@centos ~]# cat file
# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start=       63, size=  1044162, Id=83
/dev/sdb2 : start=        0, size=        0, Id= 0
/dev/sdb3 : start=        0, size=        0, Id= 0
/dev/sdb4 : start=        0, size=        0, Id= 0
 

[root@centos ~]# sfdisk /dev/sdc < file
Checking that no-one is using this disk right now ...
OK

Disk /dev/sdc: 65 cylinders, 255 heads, 63 sectors/track
 /dev/sdc: unrecognized partition table type
Old situation:
No partitions found
New situation:
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
/dev/sdc1            63   1044224    1044162  83  Linux
/dev/sdc2             0         -          0   0  Empty
/dev/sdc3             0         -          0   0  Empty
/dev/sdc4             0         -          0   0  Empty
Warning: no primary partition is marked bootable (active)
This does not matter for LILO, but the DOS MBR will not boot this disk.
Successfully wrote the new partition table

Re-reading the partition table ...

If you created or changed a DOS partition, /dev/foo7, say, then use dd(1)
to zero the first 512 bytes:  dd if=/dev/zero of=/dev/foo7 bs=512 count=1
(See fdisk(8).)
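Before feeding a saved dump to a second disk it is worth checking that the partitions fit on it; here is an added shell example (not part of the original post) that parses the sfdisk -d format shown above and compares the highest sector the dump would write with the target's size. The target sector count is assumed to come from its geometry, e.g. 65 cylinders x 255 heads x 63 sectors = 1044225 for /dev/sdc above.

```shell
#!/bin/sh
# Constructed sfdisk -d dump in the same format as the one shown above (not the post's file).
DUMP='# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start=       63, size=  1044162, Id=83
/dev/sdb2 : start=        0, size=        0, Id= 0
/dev/sdb3 : start=        0, size=        0, Id= 0
/dev/sdb4 : start=        0, size=        0, Id= 0'

# Print "device start end" for every non-empty partition (end = start + size - 1),
# which is the End column sfdisk prints in the "New situation" listing.
dump_partitions() {
    printf '%s\n' "$1" | awk -F'[=,]' '
        /^\/dev\// && $4 + 0 > 0 {
            sub(/ .*/, "", $1)                  # keep the device name before " : start"
            printf "%s %d %d\n", $1, $2, $2 + $4 - 1
        }'
}

# Highest sector the dump would touch; 0 when the dump holds no partitions.
dump_last_sector() {
    dump_partitions "$1" | awk 'BEGIN { m = 0 } $3 > m { m = $3 } END { print m }'
}

# Succeed only if every partition ends inside a target disk of $2 sectors (numbered from 0).
dump_fits_disk() {
    [ "$(dump_last_sector "$1")" -lt "$2" ]
}

# Example: the dump fits /dev/sdc (1044225 sectors) but not a disk one sector smaller.
dump_partitions "$DUMP"
dump_fits_disk "$DUMP" 1044225 && echo "fits"
dump_fits_disk "$DUMP" 1044224 || echo "does not fit"
```

The sector count of a real target can be read with blockdev --getsz /dev/sdc before running sfdisk /dev/sdc < file.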